'Govt will not pass laws to ban encryption' – Baroness Shields

PM didn't mean it when he repeatedly said he'd ban encryption


The government has "no intention" of introducing legislation to weaken encryption, minister for internet safety and security Baroness Shields told the House of Lords in the wake of the TalkTalk cyber attack debacle.

The debate was brought by Liberal Democrat Lord Strasburger, who claimed Cameron "does not seem to get" the need for strong encryption standards online, with no back door access.

Strasburger said: "[Cameron] three times said that he intends to ban any communication 'we cannot read', which can only mean weakening encryption. Will the Minister [Shields] bring the Prime Minister up to speed with the realities of the digital world?"

However, Shields, former digital advisor to Cameron and chair of Tech City UK, denied Cameron intended to introduce laws to weaken encryption.

Liberal Democrat peer Lord Clement-Jones asked if she could "absolutely confirm that there is no intention in forthcoming legislation either to weaken encryption or provide back doors."

Shields replied: "I can confirm that there is no intention to do that; that is correct."

She said: "The Prime Minister did not advocate banning encryption; he expressed concern that many companies are building end-to-end encrypted applications and services and not retaining the keys."

She added that companies that provide end-to-end encrypted applications, such as WhatsApp, which is apparently used by the terror group calling itself Islamic State, must be subject to decryption and that information handed over to law enforcement "in extremis".

Earlier this year prime minister David Cameron pledged to ban or "back-door" encrypted communications in the UK if the Conservatives win the next election.

"The question remains, are we going to allow a means of communication where it simply isn't possible to [intercept]?" Cameron continued. "And my answer to that is: no, we must not. The first duty of any government is to keep our country and our people safe."

On Monday the UK's digital minister Ed Vaizey floated the idea of adding kitemarks to websites that have strong security measures in place, following the attack on TalkTalk's business last week. ®
